United States: Standing Guard – Digital Risk Advisory And Cybersecurity Team

The Digital Assets and Data Management (DADM) Practice Group offers holistic, enterprise-wide risk solutions to clients around "everything data." The multidisciplinary new addition – chaired by Theodore J. Kobus III – is a strategic outgrowth of the firm's world-class Privacy and Data Protection and Advertising, Marketing and Digital Media teams, combined with the innovative legal technology R&D team IncuBaker. It is comprised of more than 100 award-winning attorneys, technologists and support professionals from six diverse teams, enabling clients to better understand and navigate the intersection of digital business, emerging technologies and the law. The following offers an introduction to one of those teams.

DADM exists to help organizations address risks throughout the life cycle of data (both from using it inappropriately or failing to use it effectively) and security. The Digital Risk Advisory and Cybersecurity (DRAC) team works with organizations before, during, and after cybersecurity incidents to guide them as they develop, prioritize, and implement risk-based solutions to address these dynamic risks. Our services cover four areas:

• Digital risk advisory – It is a priority for us to help organizations minimize their chance of experiencing a significant security incident. Our attorneys use their technical capabilities and experience from leading organizations through thousands of incidents to identify and eliminate activities most likely to result in a significant incident, litigation, and regulatory scrutiny. The result is an enhanced security posture, increased resiliency, and stronger compliance, which reduce risk to the organization's reputation and operations.
• Incident response preparedness – Recognizing that things may go wrong with even the best program in place, our team helps organizations build practical, enterprise-wide incident response plans and playbooks for specific response team roles. We also conduct customized incident response training and data breach simulation exercises for incident response teams, executive teams, and directors.
• Incident response – When an incident occurs, our attorneys draw upon technical knowledge and incident response experience to help clients respond quickly and correctly. Our team has the experience, flexibility, and resources to develop the right strategy to address everything from a local incident faced by a small organization to a global crisis faced by a multinational corporation.
• Post-Incident – After an incident is disclosed, we lead organizations through investigations by state attorneys general, federal agencies, and international data protection authorities. When the incident involves payment card data, we help merchants build effective strategies to address implementation of secure payment technology, validate PCI DSS compliance, and address payment card network liability assessments.

Our 40-attorney DRAC team includes attorneys with complementary capabilities who operate within and support attorneys on the five other DADM teams. Here are some examples:

• Emerging Technology – Blockchain and artificial intelligence present expanding opportunities for innovation, but also new privacy, security, and regulatory risks. Our teams' combined experience enables us to support organizations as they innovate, such as when we helped an organization evaluate the security and privacy risks and advantages of a security platform that used blockchain technology for database security and access management.
• Advertising, Marketing, and Digital Media – There is a lot of overlap between our teams when supporting issues created by e-commerce, loyalty programs, and defense of regulatory investigations.
• Privacy and Digital Risk Class Action and Litigation – When a lawsuit is filed after a breach, our incident response attorneys serve as a liaison to the litigation team to ensure an efficient and effective defense. Through this collaboration, we maintain continuity of key facts from day one of an incident, build defensible limits on discovery, support the development of expert testimony, and prepare and defend witnesses during scrutiny of on the organization's security posture and response efforts.
• Privacy Governance – Building a compliance program to address GDPR and CCPA obligations includes implementing "reasonable security" and appropriate organizational and technical measures. We work with the attorneys building the compliance program to conduct "reasonable security" assessments with the complex litigation and regulatory landscape in mind to help defend against regulatory inquiries or private actions alleging unreasonable security.
• Increasing the Value of Data – Our teams combine to use machine learning to generate valuable insights about an organization's operations, such as fraud detection and account takeovers, locating sensitive data, and better understanding consumer behaviors.
• Technology Transactions – Often the last terms to close out a deal relate to indemnification and limits of liability for privacy and security issues. We leverage our compromise response intelligence (types of incidents, order of magnitude, first-party costs and third-party liability data) drawn from thousands of incidents to help clients develop vendor management programs and negotiate appropriate limits and contractual rights.
• Healthcare Privacy and Compliance – Our teams join to evaluate the privacy and security issues related to connected medical devices.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.